[
https://issues.apache.org/jira/browse/BOOKKEEPER-390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447829#comment-13447829
]
Rakesh R commented on BOOKKEEPER-390:
-------------------------------------
Hi All,
Following are my initial thoughts to kick start the discussion. I'm thinking of
kerberos based auth mechanism for the secure zk communications.
SASL authentication of ZooKeeper clients with the quorum is handled in the ZK
client independently of BK concerns. To enable strong ZK authentication, one
must create a suitable JaaS configuration, for example:
{code}
zk-jaas.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
keyTab="/etc/bookkeeper/conf/bookie.keytab"
principal="bk/$HOSTNAME";
};
{code}
and then configure both the client and server processes to use it, for example
in bookkeeper configuration:
BK_OPTS="${BK_OPTS} -Dzookeeper.server.principal=zookeeper/hadoop
BK_OPTS="${BK_OPTS}
-Djava.security.auth.login.config=/etc/bookkeeper/conf/zk-jaas.conf"
BK_OPTS="${BK_OPTS} -Dzookeeper.kerberos.removeHostFromPrincipal=true"
BK_OPTS="${BK_OPTS} -Dzookeeper.kerberos.removeRealmFromPrincipal=true"
BK_OPTS="${BK_OPTS}
-Dzookeeper.property.authProvider.default=org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
BK will then secure all znodes but for a few world-readable read-only ones
needed for clients to look up ledgers. All internal cluster operations will be
protected from unauthenticated ZK clients, or clients not authenticated to the
ZK principal. Presumably the only ZK clients authenticated to the ZK principal
will be those embedded in the BK server and BK clients.
Thanks,
Rakesh
> Provide support for ZooKeeper authentication
> --------------------------------------------
>
> Key: BOOKKEEPER-390
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-390
> Project: Bookkeeper
> Issue Type: New Feature
> Components: bookkeeper-client, bookkeeper-server
> Affects Versions: 4.0.0
> Reporter: Rakesh R
> Assignee: Rakesh R
>
> This JIRA adds support for protecting the state of Bookkeeper znodes on a
> multi-tenant ZooKeeper cluster.
> Use case: When user tries to run a ZK cluster in multitenant mode, where
> more than one client service would like to share a single ZK service instance
> (cluster). In this case the client services typically want to protect their
> data (ZK znodes) from access by other services (tenants) on the cluster. Say
> you are running BK, HBase or ZKFC instances, etc... having
> authentication/authorization on the znodes is important for both security and
> helping to ensure that services don't interact negatively (touch each other's
> data).
> Presently Bookkeeper does not have support for authentication or
> authorization while accessing to ZK. This should be added to the BK
> clients/server that are accessing the ZK cluster. In general it means calling
> addAuthInfo once after a session is established
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
